Bitlocker and PCI Compliance

Guest

I’m currently developing a .NET application to acquire and authorize
transactions from Visa, Mastercard, ATMs and POS devices. I’m looking for
advice on how to implement the PCI (Payment Card Industry) standards, which
require data at rest to be encrypted. BitLocker may be a solution but it is
unclear how backups and shadow copy will work. I’d appreciate hearing from
anyone who has some real-world exposure to this new technology and can comment
on these concerns.
 
You need to discuss this with your auditor. Anything anyone says on the
newsgroups is unlikely to be accepted as official advice.

BitLocker has no impact on backups, and it has nothing to do with shadow
copy. If you are referring to shadow copies locally, they would be on the
boot volume, and BitLocker would encrypt the entire boot volume. Therefore,
the shadow copies would be encrypted as well. If you use BitLocker to encrypt
non-boot volumes (which is not supported in Vista) then the situation might
change.
 
Rod,

BitLocker encrypts the local disk only. If you copy anything off the disk to
CD/floppy/tape/network/whatever, then it's not encrypted - as soon as it leaves
the disk it's in clear.

This also means that anyone connecting to the drive on the PC remotely (i.e.
they map a network drive to it) gets to see the data in clear. But then if you
don't enable file sharing on the PC then that shouldn't be an issue.

If you don't allow remote access, and any copies/backups you take are
encrypted by a.n.other means, then you're probably ok PCI-wise.

But anyway, are you running this on a Vista PC? I'd have expected such an
application to be run on a server, and currently released server o/s's - i.e.
Windows 2003 - don't support BitLocker. For those you'd be looking at EFS or
a.n.other 3rd party solution.

Neil Pike. Protech Computing Ltd
 
The app is server based. BitLocker runs on Longhorn. So far here are my
options:
1) Column level hashing (no need to return it to clear state) or shared
secret encryption.
2) BitLocker on Longhorn
3) Third party like Vormetric.

Option 1 seems best when some small portion of overall data needs
protection. Flat files that contain the data for use downstream become a
problem. Lots of programming needed.
Option 2 works for data at rest; once an authenticated user with read
permission gets the data, it can leave the server in clear. This is true for
backups. I think shadow copy would write data encrypted.
Option 3 -- is like option 2 except it adds additional security layer to
make sure admins (and any user w/o permission) can read the data but get it
returned encrypted.
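
Option 1 from the post above (column-level hashing, or shared-secret encryption where the value must return to clear), as an added C# example that is not part of the original thread. It assumes .NET 8 for `AesGcm`; the class name, the stand-in keys and the sample card number are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example; names, keys and the card number are constructed for illustration.
static class PanColumn
{
    // Keyed hash (HMAC-SHA256): one-way and deterministic, so it can be indexed.
    // A keyless hash is too weak here: card numbers are few enough to enumerate.
    public static string LookupToken(byte[] hmacKey, string pan)
    {
        using var hmac = new HMACSHA256(hmacKey);
        return Convert.ToHexString(hmac.ComputeHash(Encoding.ASCII.GetBytes(pan)));
    }

    // Shared-secret encryption (AES-256-GCM) for values that must return to clear.
    // Stored layout: 12-byte nonce || 16-byte tag || ciphertext.
    public static byte[] Encrypt(byte[] aesKey, string pan)
    {
        byte[] plain = Encoding.ASCII.GetBytes(pan);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16], cipher = new byte[plain.Length];
        using var aes = new AesGcm(aesKey, 16);
        aes.Encrypt(nonce, plain, cipher, tag);
        byte[] blob = new byte[28 + cipher.Length];
        nonce.CopyTo(blob, 0); tag.CopyTo(blob, 12); cipher.CopyTo(blob, 28);
        return blob;
    }
    public static string Decrypt(byte[] aesKey, byte[] blob)
    {
        byte[] plain = new byte[blob.Length - 28];
        using var aes = new AesGcm(aesKey, 16);
        // Throws CryptographicException if the blob was altered or the key is wrong.
        aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), plain);
        return Encoding.ASCII.GetString(plain);
    }
    static void Main()
    {
        // Stand-in keys; a real deployment loads them from a key store or HSM.
        byte[] hmacKey = RandomNumberGenerator.GetBytes(32);
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);
        const string pan = "4111111111111111"; // well-known test number
        byte[] stored = Encrypt(aesKey, pan);
        Console.WriteLine(LookupToken(hmacKey, pan));
        Console.WriteLine(Decrypt(aesKey, stored) == pan);
        stored[30] ^= 1; // simulate tampering with the stored column
        try { Decrypt(aesKey, stored); }
        catch (CryptographicException) { Console.WriteLine("tamper detected"); }
    }
}
```

Because the protection travels with the column value, a backup or flat-file export of the table carries the token or ciphertext rather than the clear card number, which is the gap the replies point out for volume-level encryption.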
 
Rod,

If it's server based then if you use BitLocker, what's going to happen when
the server is rebooted? If you're prompting for a password/PIN then that's
going to stop the server coming up automatically. Leaving a USB key
permanently attached wouldn't be great for security.

Neil Pike. Protech Computing Ltd
 